The New York State Department of Financial Services (DFS) has resolved its investigation into possible violations of the DFS Cybersecurity Regulation by EyeMed Vision Care (EyeMed) for a $4.5 million penalty.
EyeMed, based in Ohio, is a licensed health insurer that collects and retains sensitive consumer data in the ordinary course of business. The DFS opened its investigation after EyeMed announced it had suffered a phishing attack and discovered the resulting data breach on July 1, 2020. An employee responded to a phishing email and disclosed the credentials to a shared EyeMed mailbox; as a result, more than six years' worth of non-public consumer data, including data on minors, associated with vision benefits enrollment and insurance coverage was exposed. After gaining access to the mailbox, the attackers sent more than 2,000 phishing emails from it to EyeMed clients in an attempt to trick them into sharing their EyeMed sign-in information. EyeMed learned of the compromised account because its clients complained about receiving phishing emails that appeared to come from EyeMed.
The investigation confirmed that unauthorized individuals had access to the email account from June 24, 2020, until July 1, 2020, when EyeMed discovered the breach and cut off their access. The mailbox contained the information of roughly 2.1 million individuals, including 98,632 New York residents.
The DFS determined that EyeMed violated the DFS Cybersecurity Regulation (23 NYCRR Part 500) by failing to implement multi-factor authentication for its email environment. In addition, EyeMed:
- failed to limit user access privileges, as nine employees accessed the affected mailbox using the same shared login credentials
- failed to enforce adequate retention limits on the data held in the mailbox
- failed to implement adequate data disposal processes
Had EyeMed enforced multi-factor authentication, the phishing attack could have been prevented. Appropriate data retention and disposal procedures could have reduced the scope of the breach even where it could not be prevented.
The investigation further found that EyeMed had not performed a thorough risk assessment, which is a core requirement of the DFS Cybersecurity Regulation. A proper risk assessment would have identified the risks of shared login credentials, the absence of multi-factor authentication, and the inadequacy of its data retention and disposal policies, and those risks could then have been mitigated to a low and acceptable level. The DFS also found that EyeMed's annual certifications of compliance for 2018 through 2021 were improper.
In addition to paying the financial penalty, EyeMed has agreed to perform a comprehensive cybersecurity risk assessment and to develop a detailed action plan describing how it will address the risks identified in that assessment. Both the risk assessment and the action plan are subject to review and approval by the DFS.
According to New York State Superintendent of Financial Services Adrienne A. Harris, it is critically important that consumers' non-public data be protected from potential criminal activity, and the DFS's first-in-the-nation cybersecurity regulation requires the entities it regulates in New York to take that work seriously. The settlement reflects the DFS's continuing commitment to protecting consumers while safeguarding the safety and soundness of financial institutions against cyber threats.
The Office of the New York Attorney General also investigated the phishing attack and data breach. It reached similar conclusions and required EyeMed to pay a $600,000 penalty in January 2022.